From: Greg Kroah-Hartman Date: Sat, 5 Feb 2022 13:41:30 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v5.10.98~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=301cdafefe55ea69094d756bb6595a2ac85f1d2a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch --- diff --git a/queue-4.9/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch b/queue-4.9/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch new file mode 100644 index 00000000000..cab52d712ae --- /dev/null +++ b/queue-4.9/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch @@ -0,0 +1,54 @@ +From 817f7c9335ec01e0f5e8caffc4f1dcd5e458a4c0 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 24 Jan 2022 15:32:51 +0000 +Subject: ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() + +From: Mark Brown + +commit 817f7c9335ec01e0f5e8caffc4f1dcd5e458a4c0 upstream. + +We don't currently validate that the values being set are within the range +we advertised to userspace as being valid, do so and reject any values +that are out of range. + +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220124153253.3548853-2-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-ops.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -327,13 +327,27 @@ int snd_soc_put_volsw(struct snd_kcontro + if (sign_bit) + mask = BIT(sign_bit + 1) - 1; + +- val = ((ucontrol->value.integer.value[0] + min) & mask); ++ val = ucontrol->value.integer.value[0]; ++ if (mc->platform_max && val > mc->platform_max) ++ return -EINVAL; ++ if (val > max - min) ++ return -EINVAL; ++ if (val < 0) ++ return -EINVAL; ++ val = (val + min) & mask; + if (invert) + val = max - val; + val_mask = mask << shift; + val = val << shift; + if (snd_soc_volsw_is_stereo(mc)) { +- val2 = ((ucontrol->value.integer.value[1] + min) & mask); ++ val2 = ucontrol->value.integer.value[1]; ++ if (mc->platform_max && val2 > mc->platform_max) ++ return -EINVAL; ++ if (val2 > max - min) ++ return -EINVAL; ++ if (val2 < 0) ++ return -EINVAL; ++ val2 = (val2 + min) & mask; + if (invert) + val2 = max - val2; + if (reg == reg2) { diff --git a/queue-4.9/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch b/queue-4.9/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch new file mode 100644 index 00000000000..07b72acdae6 --- /dev/null +++ b/queue-4.9/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch @@ -0,0 +1,41 @@ +From 4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 24 Jan 2022 15:32:52 +0000 +Subject: ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx() + +From: Mark Brown + +commit 4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e upstream. + +We don't currently validate that the values being set are within the range +we advertised to userspace as being valid, do so and reject any values +that are out of range. + +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220124153253.3548853-3-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-ops.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -441,8 +441,15 @@ int snd_soc_put_volsw_sx(struct snd_kcon + int err = 0; + unsigned int val, val_mask, val2 = 0; + ++ val = ucontrol->value.integer.value[0]; ++ if (mc->platform_max && val > mc->platform_max) ++ return -EINVAL; ++ if (val > max - min) ++ return -EINVAL; ++ if (val < 0) ++ return -EINVAL; + val_mask = mask << shift; +- val = (ucontrol->value.integer.value[0] + min) & mask; ++ val = (val + min) & mask; + val = val << shift; + + err = snd_soc_component_update_bits(component, reg, val_mask, val); diff --git a/queue-4.9/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch b/queue-4.9/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch new file mode 100644 index 00000000000..61f7fdf5092 --- /dev/null +++ b/queue-4.9/asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch @@ -0,0 +1,33 @@ +From 4cf28e9ae6e2e11a044be1bcbcfa1b0d8675fe4d Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Mon, 24 Jan 2022 15:32:53 +0000 +Subject: ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx() + +From: Mark Brown + +commit 4cf28e9ae6e2e11a044be1bcbcfa1b0d8675fe4d upstream. + +We don't currently validate that the values being set are within the range +we advertised to userspace as being valid, do so and reject any values +that are out of range. + +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220124153253.3548853-4-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-ops.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/soc-ops.c ++++ b/sound/soc/soc-ops.c +@@ -915,6 +915,8 @@ int snd_soc_put_xr_sx(struct snd_kcontro + unsigned int i, regval, regmask; + int err; + ++ if (val < mc->min || val > mc->max) ++ return -EINVAL; + if (invert) + val = max - val; + val &= mask; diff --git a/queue-4.9/drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch b/queue-4.9/drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch new file mode 100644 index 00000000000..7c0f03776fc --- /dev/null +++ b/queue-4.9/drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch @@ -0,0 +1,42 @@ +From 1b777d4d9e383d2744fc9b3a09af6ec1893c8b1a Mon Sep 17 00:00:00 2001 +From: Nick Lopez +Date: Sat, 22 Jan 2022 01:19:06 -0700 +Subject: drm/nouveau: fix off by one in BIOS boundary checking + +From: Nick Lopez + +commit 1b777d4d9e383d2744fc9b3a09af6ec1893c8b1a upstream. + +Bounds checking when parsing init scripts embedded in the BIOS reject +access to the last byte. This causes driver initialization to fail on +Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working +console. + +This is probably only seen on OpenFirmware machines like PowerPC Macs +because the BIOS image provided by OF is only the used parts of the ROM, +not a power-of-two blocks read from PCI directly so PCs always have +empty bytes at the end that are never accessed. + +Signed-off-by: Nick Lopez +Fixes: 4d4e9907ff572 ("drm/nouveau/bios: guard against out-of-bounds accesses to image") +Cc: # v4.10+ +Reviewed-by: Ilia Mirkin +Reviewed-by: Karol Herbst +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/20220122081906.2633061-1-github@glowingmonkey.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c +@@ -38,7 +38,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 + *addr += bios->imaged_addr; + } + +- if (unlikely(*addr + size >= bios->size)) { ++ if (unlikely(*addr + size > bios->size)) { + nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr); + return false; + } diff --git a/queue-4.9/series b/queue-4.9/series index 0f1cf4b31c0..4c1498e4d0d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -30,3 +30,7 @@ net-amd-xgbe-ensure-to-reset-the-tx_timer_active-flag.patch net-amd-xgbe-fix-skb-data-length-underflow.patch rtnetlink-make-sure-to-refresh-master_dev-m_ops-in-__rtnl_newlink.patch af_packet-fix-data-race-in-packet_setsockopt-packet_setsockopt.patch +asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw.patch +asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_volsw_sx.patch +asoc-ops-reject-out-of-bounds-values-in-snd_soc_put_xr_sx.patch +drm-nouveau-fix-off-by-one-in-bios-boundary-checking.patch